An automated decision-making (ADM) assessment is the board approval test for a proposed significant, solely automated decision about a person. It checks Article 22A scope, Article 22B conditions, special-category data, Article 22C safeguards, DPIA evidence, and whether human review works before deployment.
For this article, automated decision-making means the UK GDPR category the ICO uses for decisions about people made through solely automated processing, including profiling, where the decision has legal or similarly significant effects. The ICO's draft guidance says the provisions apply only when the system makes a decision about a person, the decision is significant, and there is no meaningful human involvement. ICO: what is ADM
Key takeaways
- Section 80 of the Data (Use and Access) Act 2025 substituted the old UK GDPR Article 22 regime with Articles 22A to 22D, and was fully in force on 5 February 2026 through regulation 2(j) of S.I. 2026/82. Data (Use and Access) Act 2025 section 80 · S.I. 2026/82 regulation 2
- The first board question is scope: is the system making a decision about a person, is the effect legal or similarly significant, and is the decision solely automated rather than subject to active human judgement? ICO: what the UK GDPR says about ADM
- Special-category data changes the approval threshold. The ICO's draft guidance says significant solely automated decisions using that data can proceed only under specified conditions, with explicit consent, contract, or law-based routes treated separately from ordinary Article 6 lawful bases. ICO: special-category data in ADM
- Safeguards are not a policy sentence. Article 22C requires information about the decision, a route for representations, human intervention, and contestability, and the ICO says these must be applied consistently. ICO: ADM safeguards
- The ICO consultation on updated automated decision-making guidance closed at 23:59 GMT on 29 May 2026, and the consultation page records the status as Closed, with ICO page metadata dated 16 June 2026. ICO consultation page
What an ADM assessment decides
The board is not being asked to approve a model. It is being asked to approve a decision process that may affect a person. That distinction matters because Article 22A defines a significant decision by its effect on the data subject, not by the sophistication of the technology, and the ICO draft guidance says systems do not need to involve complex algorithms or AI to fall within scope. Data (Use and Access) Act 2025 section 80 · ICO: what is ADM
The assessment should answer five questions before a system is approved. First, what is the actual decision, not merely the output or score? The ICO says a decision is a conclusion or outcome that may influence actions or engage a person's rights. Second, who is affected? The provisions are about decisions concerning people, so the board pack needs to identify the data subjects and the impact on them. Third, is the effect legal or similarly significant? The ICO lists examples including access to public services, benefits, licences, credit, employment, health, education, housing and essential services. ICO: what the UK GDPR says about ADM
Fourth, is there meaningful human involvement before the decision is applied? The ICO says active review requires a person who can influence the outcome, has discretion and authority to alter it, is trained to understand the system, and reviews the relevant data and factors. Spot-checking and review only after challenge do not turn a solely automated decision into a human decision. ICO: what the UK GDPR says about ADM
Fifth, does the process use special-category data, including inferred data? The ICO's draft guidance treats inferences linked to special categories as special-category data where the organisation intends to infer or treat someone differently on that basis. If that risk exists, the board pack needs a separate Article 22B analysis rather than a general statement that the model does not store a protected attribute. ICO: special-category data in ADM
The board approval test
A practical board test has three outcomes: approve, approve with conditions, or decline until the evidence changes. The route should be stricter than ordinary tool adoption because the legal trigger is the effect on a person. If the decision is not significant, the issue may belong in the wider AI policy and risk register. If it is significant but there is meaningful human involvement before the decision takes effect, the board should still record the control, because the ICO says the organisation should keep evidence of how the human was involved. ICO: what the UK GDPR says about ADM
Where the decision is significant and solely automated, the board should require a lawful basis under Article 6, the relevant Article 22B position where special-category data is involved, and a DPIA where the processing is likely to result in high risk. The ICO's DPIA guidance remains under review after the DUAA, but it still directs organisations to identify high-risk processing, describe the processing, assess necessity and proportionality, identify risks, record mitigations, and conclude the assessment. ICO: lawfulness · ICO: DPIAs
The board should also ask whether the recognised legitimate interest lawful basis is being used. Article 22B prohibits a significant decision based solely on automated processing where the processing for the decision relies entirely or partly on Article 6(1)(ea), and the ICO guidance repeats that recognised legitimate interest cannot be used for this purpose. Data (Use and Access) Act 2025 section 80 · ICO: what the UK GDPR says about ADM
The approval minute should be narrow. It should name the decision, the population affected, the lawful basis, the special-category position, the safeguard owner, the review route, and the evidence date. That minute then feeds the AI risk register generator rather than sitting as a disconnected board paper.
Controls and evidence for the board pack
The board pack should be short enough to read and exact enough to audit. A paper conclusion that "human oversight exists" is not evidence. The ICO's safeguard guidance says people must receive decision-specific information, be able to make representations, obtain human intervention, and contest the decision, and it expects an audit trail that shows key decision points and factors. ICO: ADM safeguards
| Board question | Evidence to include | Named owner |
|---|---|---|
| What decision is being automated? | Decision definition, affected population, data inputs, profiling explanation, and whether the output controls access to a service, benefit, role, credit, housing, education, health intervention, or other significant outcome | Product or service owner |
| Why is it lawful? | Article 6 lawful basis, Article 22B route if special-category data is used, Article 9 and Schedule 1 condition where relevant, legitimate-interests assessment where used, and why less intrusive alternatives do not meet the purpose | DPO or privacy lead |
| Is human involvement meaningful? | Reviewer role, training record, decision-stage workflow, authority to change the outcome, sample reviewed records, and evidence that review happens before the decision is applied | Accountable executive |
| What safeguards work in practice? | Decision notice, route for representations, human-intervention process, contest route, response standards, and records of exercised rights | Customer, tenant, employee or service lead |
| What residual risk remains? | DPIA conclusion, equality or fairness testing where relevant, model or rule-change history, incident route, and risk-register entry linked to board approval | Risk owner |
The same evidence should be written into procurement where a supplier provides the automated process. A vendor assurance note should state who controls the decision, what data the supplier processes, whether profiling is involved, whether special-category data can be inferred, and whether the organisation can generate the Article 22C explanation and audit trail. The broader regulatory context for this "no single AI Act, but existing law applies now" position is set out in our guide to UK AI regulation for boards.
Framework mapping: UK GDPR, DPIA, ISO 42001 and NIST
The framework mapping is not decoration. It tells the board which evidence artefact satisfies which obligation or standard. ISO/IEC 42001 is an international AI management-system standard for establishing, implementing, maintaining and continually improving an AI management system, and ISO describes it as applicable to organisations providing or using AI-based products or services. NIST's AI RMF Core organises AI risk work through Govern, Map, Measure and Manage functions. ISO/IEC 42001 · NIST AI RMF
| Framework or duty | What it asks for in this context | Board evidence |
|---|---|---|
| UK GDPR Articles 22A to 22D | Scope, restrictions, safeguards, and possible future regulations about meaningful human involvement and significant effects | Article 22A to 22D decision note, safeguard design, legal basis and special-category analysis |
| DPIA | High-risk personal-data processing described, tested for necessity and proportionality, risk assessed, mitigations recorded, and conclusion reached | DPIA signed by the DPO or privacy lead, with unresolved risks escalated |
| ISO/IEC 42001 | An AI management system with policy, objectives, risk treatment, documented information, performance evaluation and continual improvement | System-register entry, policy mapping, controls, review schedule and management-review record |
| NIST AI RMF | Govern the context, Map the system and risks, Measure performance and harms, and Manage prioritised risks | Risk-register entry tied to controls, metrics, issue owners and review dates |
This is also where boards should avoid duplicating paperwork. A single evidence pack can serve the UK GDPR approval, the DPIA, the AI governance framework, and the risk register if each artefact has a named owner and a date. The standard to meet is not volume. It is traceability: a reader should be able to move from the board decision to the operational control and then to evidence that the control ran.
Common mistakes and the next step
The first mistake is treating a model score as if it is not a decision. The ICO's draft guidance looks at whether the system reaches a conclusion or outcome that may influence actions or engage rights, so a "recommendation" that is normally followed can still need analysis. ICO: what the UK GDPR says about ADM
The second mistake is treating special-category data as absent because the input form does not ask for it. The ICO guidance says inferred data can be special-category data where the organisation intends to make or use an inference linked to one of the protected categories, so the assessment must look at features, proxies and downstream treatment. ICO: special-category data in ADM
The third mistake is relying on a challenge route as proof of human involvement. Human intervention after the decision is an Article 22C safeguard, while meaningful human involvement is part of deciding whether the decision was solely automated in the first place. The ICO guidance separates those concepts, and the board pack should do the same. ICO: ADM safeguards · ICO: what the UK GDPR says about ADM
The fourth mistake is approving a system without a review clock. The ICO consultation closed on 29 May 2026 and the guidance remains draft while the ICO finalises its update. That means every approval made now should carry a review trigger for the final guidance and any Article 22D regulations. ICO consultation page · Data (Use and Access) Act 2025 section 80
If you need to decide whether your current AI use creates automated-decision risk, start with the Board AI Scorecard. If the decision involves people, special-category data, or material service access, the paid AI governance diagnostic maps the decision to UK GDPR, the DPIA, controls, evidence and the board approval record. You can also see how we treat evidence and audit trails on our trust page and services page.
Last reviewed: 18 June 2026.
Sources: Data (Use and Access) Act 2025 section 80 · S.I. 2026/82 regulation 2 · ICO ADM hub · ICO: what is ADM · ICO: what the UK GDPR says about ADM · ICO: lawfulness · ICO: special-category data in ADM · ICO: ADM safeguards · ICO consultation page · ICO DPIA guidance · NIST AI RMF · ISO/IEC 42001



